security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update filter image

Browse Source
This commit is contained in:
frack113
2022-10-31 19:40:07 +01:00
parent f27ddc8a0f
commit a1fef566bd
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/image_load/image_load_susp_vss_ps_load.yml
+5 -1
View File
@@ -35,7 +35,11 @@ detection:
- '\rundll32.exe'
- '\inetsrv\iissetup.exe'
- '\inetsrv\appcmd.exe'
Image|contains: 'c:\windows\'
Image|startswith: 'C:\Windows\'
filter_programfiles:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_update:
CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
CommandLine|contains: '\dismhost.exe {'